Archive

There is a nasty botnet trolling WordPress sites, trying to log in with the default admin user name and using brute-force methods to guess the password. Our advice for keeping your WordPress blog from being hacked is to use a login name other than admin and to use strong passwords.

Matt Mullenweg, the founder of WordPress, advises the same thing on his blog. He also recommends turning on two-step authentication, which prompts you to enter a one-time code generated by the Google Authenticator app on your smartphone. To make the environment as secure as you can, make sure the latest version of WordPress is installed as well.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg writes to assure 64 million WordPress users.

Missing homework used to be blamed on the family dog, but now the focus has shifted to the computer. And sometimes – as this user note shows – malware really is to blame.

“My avast! Free version will not let me check teachers’ blogs at my daughter’s high school website. avast! just started blocking this site about 1 week ago. We can’t find any way on avast! Free to ‘allow’ a trusted site. What do we do?” wrote a concerned parent from Harrison High School in Georgia.

“For unprotected visitors, it was the same schema as usual,” says Jan Sirmer, analyst at the AVAST Virus Lab. “A screen with a fake AV appears in the browser and forces you to download that AV and pay money for it.”

“The attack, not surprisingly :), focused on WordPress,” he adds. “There were redirections to sub-sites at rr.nu. There we detected more sites such as cie69svoi.rr.nu and ordonv12ectorct.rr.nu. Those sites redirected visitors to a site with the rogue antivirus.”

In this case, the concerned parents did the right thing. Instead of switching their avast! off so they could visit this “trusted” site, they wrote a note to the AVAST Virus Lab. That likely saved them from installing a fake antivirus on their computer.

Assassinscreedfrance.fr, a French fan site for the wildly popular computer game, is still infected.

For over 8 weeks, the site has been infected with a Trojan JavaScript redirector that sends visitors to a Russian malware site and connects them to a ZeuS-powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12:00 CET on April 10, 2012. And, just to make it clear, Assassinscreedfrance.fr is not affiliated with Ubisoft, the developer of the Assassin’s Creed franchise.

So far, avast! has blocked over 179,800 visits by its users to this site. And Assassinscreedfrance.fr is just one of 1,841 sites around the globe that were infected with this specific Trojan during the month of March.

Powered by variants of the ZeuS Trojan, this collection of botnets has stolen over $100 million from small and medium-sized businesses.

The infection, a Trojan redirector, sends users to a Russian malware distribution server with an IP address registered in Saint Petersburg, Russia. And yes, this server is still working, even after Microsoft’s recent takedown of a few dozen botnet servers.

Not everyone appreciates an avast! warning. Some IT professionals find it hard to believe that an infection has taken place on the computers and the networks under their supervision.

“In today’s update you have included their website as being infected and harmful,” complained one web developer in an email to AVAST Software. “For the last month, it has been a brand new site. I have scanned the site with several online website scanners and they all come up clean.”

AVAST Software sends out a lot of warnings to users. During January of 2012, we recorded 1.87 billion incidents of our users encountering malware.

In this specific case, the company owners had avast! on their own computers and they were getting warnings that their site was infected. Even worse, because their avast! was blocking them from accessing their own site, they realized potential customers were also getting shut out – costing them money.

While online scans from two other security suppliers did not detect anything, Jiri Sejtko at the AVAST Virus Lab did.

When we looked into the recent wave of WordPress site hacks, our investigation took two separate paths: uncovering the TimThumb vulnerability and the Blackhole exploit kit used to exploit it.

Now it is time to talk more in detail about what the Blackhole Toolkit is.

For starters, the Blackhole exploit kit is used to spread malicious software to users through hacked legitimate sites. It was most likely made by Russian developers; the big clue is that operators can switch the kit’s interface between Russian and English. The full version of this toolkit costs around $1,500 on the black market, but bargain hunters can find a stripped-down version online for free.

But much more important than acquiring Blackhole is finding out how to get rid of it, or, more precisely, simply finding out whether you have been infected. So how can a website owner recognize that their page has been infected and is being blocked by an antivirus program because it is being misused as a redirector to a site hosting the Blackhole exploit kit? And how do the attackers compromise your site in the first place?
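A site owner can answer the first question by looking at what their own pages actually serve, rather than at what the CMS admin panel shows. The following is an added example, not code from the original post or from AVAST, of a heuristic scan over a page’s HTML for the three things the redirector cases on this page have in common: a script loaded from a host that is not the site’s own, a hidden or one-pixel iframe pointing off-site, and inline script that hides its destination behind eval/unescape-style obfuscation. The sample page is constructed; the rr.nu host names in it are the ones named in the Virus Lab quote above, and the site host example.com is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the original post). The rr.nu hosts are the
# redirector sub-sites quoted in the text; the page itself is invented.
SAMPLE_HTML = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery.js"></script>
</head><body>
<p>Hello</p>
<script src="http://cie69svoi.rr.nu/in.php"></script>
<iframe src="http://ordonv12ectorct.rr.nu/a.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
</body></html>"""

# Constructs typical of injected redirector scripts: decode-then-execute chains
# and direct navigation of the browser. Legitimate scripts use some of these
# too, so matches are leads to inspect, not verdicts.
SUSPICIOUS_JS = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode)\s*\(|(?:document|window)\.location",
    re.IGNORECASE,
)


class RedirectorScanner(HTMLParser):
    """Collect (kind, detail) findings for off-site scripts, hidden off-site
    iframes and obfuscated inline scripts."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts} | {site_host.lower()}
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _external(self, url):
        host = urlparse(url).hostname  # None for relative URLs
        return host is not None and host.lower() not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and self._external(src):
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if self._external(src) and (tiny or hidden):
                self.findings.append(("hidden-iframe", src))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            if SUSPICIOUS_JS.search(body):
                self.findings.append(("obfuscated-inline-script", body.strip()[:60]))


def scan_html(html, site_host, allowed_hosts=()):
    """Return the list of findings for one page, in document order."""
    scanner = RedirectorScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "example.com", allowed_hosts=["ajax.googleapis.com"]):
        print(kind, detail)
```

Run this against the HTML as fetched by a plain HTTP client, not as rendered in the admin editor: redirectors of this kind are typically injected into theme or core PHP files and only appear in the output. Fetching with a browser-like User-Agent and once more with a search-engine User-Agent is also worth doing, since some kits serve the injection only to one of the two.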